Lab: Crack WPA2 PSK network With Reaver & PixieWPS

Scenario: Attacker – Kali Linux (Sana) machine (not a VM)

Reaver is a tool to brute-force the WPS of a WiFi router. PixieWPS is a newer tool that brute-forces the keys exchanged during a WPS transaction. WPS (Wi-Fi Protected Setup) is designed to quickly and easily authenticate a client to an AP, and is aimed mainly at home users. Basically, in WPS the Access Point and the Client exchange a series of EAP messages. At the end of this transaction the Client holds the encryption key and the AP's signature, so it is ready to connect to the encrypted network. After this is complete, the AP disassociates from the client, and the client then re-associates with the new credentials and signatures. One important thing to note here is that the actual passphrase is not exchanged during WPS initiation.

Because the 8-digit WPS PIN is validated in two halves, the first half leaves 10^4 = 10,000 guesses and the second half leaves 10^3 = 1,000 guesses. That is a total of only 11,000 guesses, where it should be 10^8 = 100,000,000. This drastic reduction in the number of guesses means the PIN can be brute-forced in a much shorter time. Reaver is a tool that does exactly this: it performs an online attack against a WPS-enabled AP, trying roughly 11,000 PINs.

Recently, a newer flaw was discovered by a security researcher named Dominique Bongard. He found that a lack of randomization in the components of the two halves of the PIN makes offline brute-forcing possible: while the two halves of the PIN are exchanged, if the components of these packets are not properly randomized, the real PIN generated by Reaver could be used to perform an offline attack. PixieWPS is a tool that finds the WPS PIN from the captured hashes. The PIN candidate is checked against the hashes reaver received, which confirms the real PIN. This PIN can then be used by reaver to perform an online attack against the router to obtain the real passphrase. This attack is only applicable to vulnerable devices.

References: Wiki, HTG, Infosec Institute

Options

PixieWPS can be executed alone or with the updated reaver package. Since this tutorial focuses on reaver, only the reaver options are shown.

-i, --interface=        Name of the monitor-mode interface to use
-c, --channel=          Set the 802.11 channel for the interface (implies -f)
-o, --out-file=         Send output to a log file
-a, --auto              Auto detect the best advanced options for the target AP
-v, --verbose           Display non-critical warnings (-vv for more)
-q, --quiet             Only display critical messages
-K, --pixie-dust=       Run pixiewps with PKE, PKR, E-Hash1, E-Hash2 and E-Nonce (Ralink, Broadcom, Realtek)
-Z, --no-auto-pass      Do NOT run reaver to auto retrieve WPA password if Pixiewps attack is successful
-p, --pin=              Use the specified 4 or 8 digit WPS pin
-d, --delay=            Set the delay between pin attempts
-l, --lock-delay=       Set the time to wait if the AP locks WPS pin attempts
-1, --p1-index          Set initial array index for the first half of the pin
-2, --p2-index          Set initial array index for the second half of the pin
-P, --pixiedust-loop    Set into PixieLoop mode (doesn't send M4, and loops through to M3)
-W, --generate-pin      Default Pin Generator by devttys0 team Belkin D-Link
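The 11,000-guess arithmetic from the text, worked through as an added example that is not part of the original tutorial: the second half has only 1,000 possibilities because the eighth PIN digit is a check digit computed from the first seven, a WPS specification detail the tutorial does not state and which this example assumes (along with the AP confirming the halves separately). Counting, for a fixed first half, how many second halves pass the check shows a defender why a PIN-based WPS handshake protects an 11,000-attempt secret, not an 8-digit one.

```python
# Added example: why an 8-digit WPS PIN collapses to ~11,000 online guesses.
# Assumption (from the WPS specification, not stated in the tutorial): the
# eighth digit is a check digit computed from the first seven, and the AP
# confirms the first four digits separately from the last four.

FIRST_HALF_DIGITS = 4
SECOND_HALF_DIGITS = 4


def wps_check_digit(first_seven: int) -> int:
    """Check digit for a 7-digit PIN prefix: weighted digit sum mod 10."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)   # odd positions from the right, weight 3
        first_seven //= 10
        accum += first_seven % 10         # even positions, weight 1
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: int) -> bool:
    """True when the last digit of an 8-digit PIN matches its check digit."""
    return 0 <= pin < 10**8 and pin % 10 == wps_check_digit(pin // 10)


def valid_second_halves(first_half: int) -> int:
    """For a fixed (already confirmed) first half, count the second halves
    that pass the check digit: 3 free digits, so 1,000 of 10,000 candidates."""
    base = first_half * 10**SECOND_HALF_DIGITS
    return sum(1 for tail in range(10**SECOND_HALF_DIGITS)
               if is_valid_wps_pin(base + tail))


def worst_case_guesses() -> int:
    """Guesses needed when each half is confirmed independently."""
    return 10**FIRST_HALF_DIGITS + valid_second_halves(first_half=1234)


def naive_guesses() -> int:
    """Guesses needed if the whole PIN had to be matched at once."""
    return 10**(FIRST_HALF_DIGITS + SECOND_HALF_DIGITS)


if __name__ == "__main__":
    print(f"{worst_case_guesses():,} guesses instead of {naive_guesses():,}")
```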